Fandango, Credit Karma Settle With FTC Over App Security Flaws

The FTC has cracked down on Credit Karma and Fandango for putting users' personal information at risk.

The mobile apps of credit report provider Credit Karma and movie ticket seller Fandango may have exposed millions of consumers' sensitive personal information, including credit card details, according to the Federal Trade Commission.

The agency said the companies failed to take "reasonable steps" to secure their mobile apps, leaving them vulnerable to so-called "man-in-the-middle" intrusions, which could have allowed an attacker to intercept any information customers submitted through the app.

This includes: credit card details, Social Security numbers, names, birthdates, home addresses, phone numbers, email addresses, and passwords. In Credit Karma's case, the lapse may have also exposed credit scores, and other credit report details such as account names and balances.

Both companies have settled charges with the FTC that they failed to safeguard users' information and misrepresented the security of their apps. The settlements require Fandango and Credit Karma to establish mobile app security programs and undergo independent security assessments every other year for the next 20 years.

The agency charged that both companies had overridden the default SSL certificate validation in their apps. Validating the server's certificate is the industry-standard step by which an app confirms that it is talking to the genuine server and not to an imposter; with that step disabled the connection is still encrypted, but to whoever answers, which is exactly what a man-in-the-middle attacker exploits. The companies could have caught or prevented the vulnerability with basic security tests, such as checking whether the app would complete a connection through a proxy that presents an untrusted certificate.
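What disabling certificate validation costs, and what the basic test the FTC refers to looks like, as an added example that is not from the article or from either company's app. The Go program below stands up two loopback TLS servers with constructed self-signed certificates for a hypothetical host name, api.example.test: one plays the genuine API, the other the imposter an attacker on the network path would present. A client with validation switched off (InsecureSkipVerify, the equivalent of the override the complaints describe) completes the handshake with the imposter and hands it a constructed Social Security number; a client that keeps validation on and trusts only the genuine certificate refuses the imposter yet still reaches the real server. All host names, certificates and data here are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// apiHost is a hypothetical API host name for the demo, not a real endpoint.
const apiHost = "api.example.test"

// selfSigned builds an in-memory certificate claiming to be apiHost. It is called
// twice, once for the genuine server and once for the imposter an attacker on the
// network path would present; a client with validation off cannot tell them apart.
func selfSigned() (tls.Certificate, *x509.Certificate) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: apiHost},
		DNSNames:     []string{apiHost},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	parsed, _ := x509.ParseCertificate(der) // cannot fail: we just produced this DER
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, parsed
}

// startServer listens on a loopback port with the given certificate, completing
// the handshake with each client and reading whatever it then sends.
func startServer(cert tls.Certificate) net.Listener {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		panic(err)
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func() { defer c.Close(); c.Read(make([]byte, 64)) }() // Read drives the handshake
		}
	}()
	return ln
}

// dial connects the way the app would and, once the handshake succeeds, submits a
// constructed sensitive field. cfg alone decides whether the certificate is checked.
func dial(addr string, cfg *tls.Config) error {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err // with validation on, an untrusted certificate is refused here
	}
	defer conn.Close()
	_, err = conn.Write([]byte("ssn=000-00-0000\n")) // constructed, not a real SSN
	return err
}

// runDemo pits two client configurations against the genuine and imposter servers
// and reports which connections went through.
func runDemo() (skipVerifyAcceptedImposter, pinnedRejectedImposter, pinnedAcceptedGenuine bool) {
	genuine, genuineCert := selfSigned()
	imposter, _ := selfSigned()
	genuineLn, imposterLn := startServer(genuine), startServer(imposter)
	defer genuineLn.Close()
	defer imposterLn.Close()
	// Vulnerable client: InsecureSkipVerify is Go's spelling of the "accept any
	// certificate" override described in the FTC complaints.
	insecure := &tls.Config{ServerName: apiHost, InsecureSkipVerify: true}
	// Hardened client: validation stays on and the trust anchor is explicit, so even
	// a self-signed or internal certificate needs no override.
	pool := x509.NewCertPool()
	pool.AddCert(genuineCert)
	pinned := &tls.Config{ServerName: apiHost, RootCAs: pool}
	return dial(imposterLn.Addr().String(), insecure) == nil, // validation off: imposter accepted
		dial(imposterLn.Addr().String(), pinned) != nil, // validation on: imposter refused
		dial(genuineLn.Addr().String(), pinned) == nil // and the real server still reachable
}

func main() {
	fmt.Println(runDemo()) // expect: true true true
}
```

The same arrangement is the test a release process should run against a mobile build: point the app at a proxy presenting a certificate the device does not trust, and any request that completes is a finding. The hardened branch also shows the right answer to "our certificate is self-signed, so we turned validation off": add that one certificate to the trust store instead of trusting everything.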

Fandango's app shipped with certificate validation disabled for nearly four years, from March 2009 to February 2013, yet the company assured users during checkout that their credit card information was secure. During that time the company had no process for receiving vulnerability reports from security researchers, and so missed opportunities to learn of the flaw and fix it.

Credit Karma, meanwhile, also promised users that its app used SSL to protect their data when, with validation disabled, it did not deliver that protection, the FTC said. A user even warned Credit Karma about the flaw in its iOS app, yet the company did not test its Android app for the same error before launch; a month after receiving that warning, it released the Android app with the identical vulnerability.

"Consumers are increasingly using mobile apps for sensitive transactions," FTC Chairwoman Edith Ramirez said in a statement. "Yet research suggests that many companies, like Fandango and Credit Karma, have failed to properly implement SSL encryption. Our cases against Fandango and Credit Karma should remind app developers of the need to make data security central to how they design their apps."

Angela has been a PCMag reporter since January 2012. Prior to joining the team, she worked as a reporter for SC Magazine, covering everything related to hackers and computer security. Angela has also written for The Northern Valley Suburbanite in New Jersey, The Dominion Post in West Virginia, and the Uniontown-Herald Standard in Pennsylvania. She is a graduate of West Virginia University's Perley Isaac Reed School of Journalism.